1. 背景
项目上有些服务器是CentOS,使用firewalld作为防火墙。
经常需要对firewalld进行设置,故此记录一下。
2. 启动firewalld
# Start firewalld for the current boot only (a plain "start" does not change
# what happens on the next boot). systemctl resolves "firewalld" to firewalld.service.
systemctl start firewalld
# Register firewalld to start on boot. "enable" alone does not start it now,
# which is why the separate "start" above is needed.
systemctl enable firewalld
# Stop firewalld for the current boot; the "enable" above still applies on reboot.
systemctl stop firewalld
3. 开放/删除-访问规则
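# Open TCP port 80 in the "public" zone.
#   --permanent : write the rule under /etc/firewalld (survives reload and reboot) but
#                 do NOT touch the running firewall until `firewall-cmd --reload` below
#   --zone      : the zone the rule belongs to
firewall-cmd --zone=public --add-port=80/tcp --permanent
# Close a port: same command with --add-port replaced by --remove-port.
firewall-cmd --zone=public --remove-port=8898/tcp --permanent
# Allow TCP port 8888 only from the single host 192.168.157.10.
# The rich rule must reach firewall-cmd as ONE argument: single-quote the whole rule so
# the inner double quotes are passed through instead of closing the shell string
# (the original nested "..." inside "..." only worked because the shell dropped them).
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.157.10" port protocol="tcp" port="8888" accept'
# Allow TCP port 18888 from the whole 192.168.2.14/25 subnet.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.2.14/25" port protocol="tcp" port="18888" accept'
# Remove a rich rule: same rule text with --add-rich-rule replaced by --remove-rich-rule.
# The rule text has to match the stored rule, otherwise firewalld reports it as not found.
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.157.10" port protocol="tcp" port="8888" accept'
# --permanent changes only take effect after a reload; until then the running
# firewall still enforces the previous rule set.
firewall-cmd --reload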
4. 查看策略
# Ports currently open in the default zone (no --zone given -> default zone,
# which is "public" on a stock install).
firewall-cmd --list-ports
# Full policy of the default zone: services, ports, rich rules and so on.
firewall-cmd --list-all
# The same full listing for every zone, not just the default one.
firewall-cmd --list-all-zones
还有种方式:
[root@stress5 zones]# cd /etc/firewalld/zones/
[root@stress5 zones]# ll
total 8
-rw-r--r-- 1 root root 723 Nov 3 12:32 public.xml
-rw-r--r--. 1 root root 598 Nov 3 11:37 public.xml.old
# 因为当前设置局限于public区域,因此仅包含public.xml(可直接修改,执行firewall-cmd --reload即可生效)
[root@stress5 zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="mdns"/>
<service name="dhcpv6-client"/>
<rule family="ipv4">
<source address="192.168.1.1/24"/>
<port port="22" protocol="tcp"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="192.168.1.1/24"/>
<port port="18888" protocol="tcp"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="192.168.2.14/25"/>
<port port="18888" protocol="tcp"/>
<accept/>
</rule>
<forward/>
</zone>
5. 高级用法
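# Reject all traffic from 192.168.8.101 (note the zone is "work", not the default).
# "reject" answers the sender with an error; "drop" would discard silently.
firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.8.101/32 reject'
# Accept TCP ports 8000-9000 from the 192.168.1.0/24 subnet in the "work" zone.
# Fixed: the option was misspelled "--one=work", which is not a firewall-cmd option.
firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8000-9000 protocol=tcp accept'
# Drop every ICMP packet in the default zone (no --zone given). This also silences ping
# and ICMP error messages for that zone, so only do it deliberately.
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
# Accept HTTP from 192.168.8.1 and log each new connection with prefix "NEW HTTP",
# rate-limited to 3 log entries per second so the log cannot be flooded.
# Fixed: 'prefix= "NEW HTTP"' (stray space) and 'limit value "3/s"' (missing "=")
# are not valid rich-rule syntax.
# Note: there is no --permanent here, so this rule exists only in the runtime
# configuration and is lost on `firewall-cmd --reload` or a restart.
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.8.1/32 service name="http" log level=notice prefix="NEW HTTP" limit value="3/s" accept'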
更多使用指南可参考:CentOS 上的 FirewallD 简明指南